A botnet is a network of (normally) unwitting computers hijacked
by a third party, and used to launch some kind of malicious
attack, or just to overwhelm a web site or server with fake
requests or traffic.

Exacerbating the criticism is the fact that Hola is openly
selling its users' bandwidth via a commercial side project called
Luminati, and researchers claim to have discovered a number of
serious security vulnerabilities in the software.

Then, following the publication of two highly critical reports
from security researchers, one
accusing the company of "negligence, plain and simple," we
reached out to Vilenski again. He told me the company has
experienced some "growing pains," but that the security issues
have since been patched — and hopes to grow into a "great billion
dollar company."

What is Hola?

Based in Israel, Hola has 75 employees (around 35 of which are
developers), and has received more than $20 million in venture
capital funding since its launch. Before the current firestorm it
had enjoyed positive press coverage,
including CNN Money and
here on Business Insider. Its website says it has more than
47 million users around the world.

So what does it do?

Hola lets users access websites that are unavailable or censored
on their connections. A user might want to circumvent a
workplace's block on Facebook, or to access a video streaming
service not available in their country. To do this, Hola uses
what is known as a VPN, or virtual private network.

Most commercial VPN services require users to pay to use them,
but Hola is totally free (though offers a paid option). Why?
Because while most companies like this own or rent dedicated
servers to act as "exit nodes" through which the user accesses
the internet, Hola pursues a different approach.
Everyone is an exit node.

So, for example, when a British user sets their location on the
tool as Norway, their internet traffic is being routed through
the connection of a random Norwegian user on the Hola network.
And simultaneously, the British user's connection may be used as
the exit node for a South African user to connect to the web.
It's a peer-to-peer network that does away with the need for
dedicated hardware — allowing it to be offered as a free service.

Hola doesn't hide the fact it works on a peer-to-peer system,
although it wasn't always immediately clear from the website that
users will by default act as an exit node. (Users can also pay a
premium subscription fee to opt out of this.)

Hola also sells its users' bandwidth

Hola also operates a second service — one that sells Hola users'
bandwidth for profit. It's called Luminati, and its customers can
hire the Hola network for their own purposes. The company
suggests it can be used for brand monitoring or anti ad-fraud
checks, but a salesperson told
security researchers that the company has "no idea what
[customers] are doing on our platform."

This can have dangerous implications — as Fredrik Brennan found
out. He claims the Hola network was used to attack his website
last week.

Brennan, often known by the online moniker "Hotwheels," is the
administrator of 8chan, a countercultural online messageboard.
The site was targeted by thousands of "legitimate-looking" posts,
he wrote in a blog post,
"prompting a 100x spike over peak traffic."

The Hola network — and the computers of users on it — had been
used as a giant botnet, a network of hijacked machines intended
to overwhelm the site, Brennan claims.

Before recent events, there was only a brief acknowledgement on
Hola's site that the network might be used for "commercial"
purposes, and no mention at all of Luminati, which has been in
operation since at least October 2014. (A fuller explanation has
since been added.) As such, it's doubtful that many users realise
Hola is selling their bandwidth.

"Even if they had said it all along in their FAQ," wrote one
commenter on news site Hacker News, "it's still infuriatingly
disingenuous for someone to act as if anyone ever browses to
Hola's site and reads their FAQ either before or after installing
the Hola malware extension. No ordinary person will ever do
this."

Vilenski did not comment on how many clients Luminati has.

Security researchers pile on

Vilenski confirmed that Luminati had been used to mount the
attack, though he told me last week that there was nothing
uniquely vulnerable about Hola's VPN — the hacker "could have
used any commercial VPN network, but chose to do so with ours."
The attacker has since been blocked from the service.

Since then, however, security researchers have pointed out a
number of further vulnerabilities in Hola's software.

The researchers say Hola makes users less secure by "[sending]
traffic of strangers through your internet connection" — a
reference to Hola's peer-to-peer model where everyone is an exit
node.

They say it "[sells] access to third parties, and [doesn't] care
what it's used for." When a researcher asked the company how it
enforces its terms of service for Luminati, the company responded
"we don't... we have no idea what you are doing on our platform."

They also say it lets "anybody execute code on your computer."
The researchers say they found a vulnerability in Hola that lets
websites remotely execute code on a user's computer. They built
an example that opened a calculator on Windows users' computers —
but it could also be used for far more malicious purposes. The
researchers published a video of the demonstration.

Following the publication of the report, Hola moved to patch the
vulnerabilities, and Vilenski told me that the security
vulnerabilities have now been fully patched.

But an update to the Adios Hola post disputes this, saying that
"many of the issues are ignored, and some claims [in a Hola
statement] are simply false."

It continues: "The vulnerabilities are *still* there, they just
broke our vulnerability checker and exploit demonstration. Not
only that; there weren't two vulnerabilities, there were
six."

Vilenski countered that he disagrees, and that he cares "more
about my users than what that website says." He invites the
researchers behind Adios Hola to present details of the six
vulnerabilities that are allegedly still in effect.

That's not all: Vulnerabilities in Hola have allegedly been
exploited in the past. A second security report, this
time from Vectra, discovered 5 pieces of malware online "that
contain the Hola protocol."

If true, this means that anyone who has used Hola in the past
may have been actively targeted by hackers.

"Unsurprisingly," Vectra writes, "this means that bad guys had
realised the potential of Hola before the recent flurry of public
reports by the good guys."

Vilenski confirmed to me Hola was not aware of its
vulnerabilities until the publication of the first report.

But Hola users may not understand the technical details of how
their computers are being used by the company, and unless they
visit the website again, they're unlikely to find out — because
as Vilenski told me, the company has made no attempt to contact
existing users to explain how the tool works or that their
bandwidth is being sold for profit. Hola can't contact
them. It apparently has no way to.

This also means Hola has not alerted users about the
vulnerabilities on the platform either — vulnerabilities that
have been used to target Hola users in the past (and, according
to some security researchers, are still active).

(The company also hasn't alerted its users via its Facebook or
Twitter profiles,
neither of which has been updated in several months.)

In theory, Hola could use its browser plugin to display a message
explaining the peer-to-peer system, the nature of Luminati, and
the vulnerabilities that may have compromised their computers.
When I asked if he would commit to doing so, Vilenski told me
that while it's a "good idea," he "cannot make that promise."

The company does not want to be "technically intrusive."

Hola defends itself

Again, Vilenski claims that all the vulnerabilities Hola knows
about have been patched, and says that researchers should explain
exactly what they've found to the contrary, instead of accusing
him of negligence.

Vilenski also says it's important to keep this in proportion. He
argues that the vulnerabilities amount to "growing pains,"
similar to what has happened to other big companies in the past.
If you put a "big enough bounty" on any product, vulnerabilities
will be found, and Hola has "just become big enough to become
attractive to this scrutiny."

He also argues that Hola's peer-to-peer system is analogous to
Skype, which uses a similar method to transmit data. But Skype
will only route voice data through the computers of users on the
network, while Hola routes web data — and also caches content on
users' machines, Vectra's report says.

This means that if your machine were being used as an exit node
for someone browsing child pornography, that illegal material
would be saved on your machine. Vilenski counters that it would
be unwise to use Hola for illegal activity, as the company keeps
a map of the traffic between nodes and will cooperate fully with
law enforcement.

Vilenski also says that, on average, a user will only give up 6
MB of bandwidth per day using Hola, and only when their device is
idle. It will not use devices' bandwidth when not plugged in so
as not to waste battery power, for example. However, he couldn't
put a figure on what the maximum bandwidth usage might be.

The future of Hola?

Vilenski remains positive about the future of the platform. It
has seen no meaningful decrease in users as a result of the
recent news (though this may be at least in part because they
haven't been widely notified), and every developer at the company
is currently working to improve security. Hola
is also paying for a security audit from one of the "big 4
auditing companies' cyber auditing team," and launching a bounty
program to encourage researchers to discover and declare more
bugs.

Looking ahead, Hola plans to launch a B2B video product that
could cut the cost of distributing video on the internet by 90%.
The aim is to "build a great billion dollar company," Vilenski
told me.

It remains to be seen whether it can win back users' trust,
however — or convince security professionals that its services
can be relied on. And there are more immediate hurdles to
overcome: The company's Google Chrome plugin, which once had more
than 16 thousand positive reviews, has now been
removed by Google from the Chrome Web Store.